Governance, Risk and Compliance, Content

California Expands Privacy Law to Include Passport, Biometric Data

Passports and biometric data belonging to California residents are now included in the types of personal information covered by the state’s sprawling Consumer Privacy Act (CCPA).

California Assembly Bill 1130 was among a flurry of last call revisions ahead of the legislation’s January 1, 2020 enactment. The expanded list of protected personal information is part of seven legislative proposals to augment the data privacy statute that made it under the wire for Governor Gavin Newsom’s signature. The measure, which is sponsored by Assemblyman Marc Levine (D), also includes taxpayer and military identification numbers, and other unique government identification numbers. A.B. 1130 is the only one of the amendments to the CCPA to alter the actual text of the bill.

The law, which resembles the European Union’s General Data Protection Regulation, gives the state’s 40 million residents the right to require a business to disclose the types of personal information it collects on the consumer, where that information is collected and whether it’s being sold or shared, and to opt out of the whole thing. Violators could be docked up to $7,500 for each infraction.

The tweaks to the CCPA come a few days after the California Attorney General’s (AG) office published the first draft of its implementation regulations designed to provide businesses with guidance on how to comply with the law. The AG is required to issue finalized guidelines by July 1, 2020.

At this point, a startling lack of readiness and preparation by the business community only weeks away from the legislation’s launch date was uncovered in a recent poll of 625 business owners and company executives conducted by the San Diego, California-based IT security provider ESET. The findings revealed that 44 percent of the respondents had never heard of the bill and the same percentage said it didn’t apply to them. Only 12 percent said their businesses will be affected by the law while 34 percent said they don’t know if they will need to change how they capture, store and process data to comply. Of particular note, nearly 71 percent of businesses in the survey said they were not relocating out of California to avoid the legislation.

Biometric data may be the next big target for personal identity cyber crooks. Last August, security researchers discovered a huge data breach that riddled a web-based biometric security smart lock platform called BioStar 2 used by administrators to control access and manage permissions. In the breach, cyber crooks gained access to more than a million fingerprints and other sensitive data, including photographs of people and facial recognition data. The break-in was the second such leak of sensitive biometric data, the first of which occurred in June and affected U.S. Customs and Border Protection.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.